Collaborative Defense against Periodic Shrew DDoS Attacks in Frequency Domain

The shrew or pulsing DDoS (Distributed Denial-of-Service) attacks, also known as RoQ (Reduction of Quality) attacks, are stealthy, periodic, and low-rate in volume. The shrew attacks could be even more detrimental to network resources than the flooding type of DDoS attacks. Shrew attacks appear periodically in low volume, thereby damaging the victim servers for a long time without being detected. This in turn leads to denying new visitors to the victim servers (which are mostly e-commerce sites). Hence, there is a pressing need to effectively detect shrew attacks in real-time, and to fend off these attacks at the victim sites at the earliest possible time. Unfortunately, there is still a void in research on effective detection of shrew DDoS attacks. In this paper, we propose a new digital signal processing (DSP) approach to detecting the shrew attacks embedded in legitimate traffic flows. We detect with the frequency-domain characteristics from the autocorrelation sequence of Internet traffic streams. This approach enables collaborative detection across multiple routers. The new detection scheme appeals to hardware implementation based on DSP technology. Our new detection technique requires only a few seconds for successful detection of shrew DDoS attacks. Furthermore, the technique entails only lightweight implementation in a real-life network environment. We developed a network-layer multicast protocol LocalCast to support collaborative detection without burdening the end hosts. The protocol adds more intelligence to active networks and enables the routers to filter out malicious traffic flows with minimum collateral damage to legitimate traffic flows. This frequencydomain defense scheme provides more robustness and intelligence in IP networks, which will enable the integration of more security functionality into Internet routers to protect sensitive applications.